Catalyst 9500 HTTPS responds from network and broadcast addresses

Artem Martynyuk
Level 1

Hello!

The sec team scanned IP ranges and reported that a number of branch Cat9500 core switches respond to network and broadcast addresses:

CORE1#sh run all | b interface Vlan 21
interface Vlan21
mvrp timer leave-all 1000
mvrp timer leave 60
mvrp timer join 20
no mvrp timer periodic
no mvrp
ip address 10.8.16.2 255.255.255.0
ip redirects
ip unreachables
ip proxy-arp
ip mtu 9198
ip pim join-prune-interval 60
ip pim dr-priority 1
ip pim query-interval 30
ip mfib forwarding input
ip mfib forwarding output
ip mfib cef input
ip mfib cef output
ip cef accounting non-recursive internal
ip load-sharing per-destination
ip route-cache cef
ip route-cache
ip split-horizon
ip igmp last-member-query-interval 1000
ip igmp last-member-query-count 2
ip igmp query-max-response-time 10
ip igmp v3-query-max-response-time 10
ip igmp version 2
ip igmp query-interval 60
ip igmp tcn query count 2
ip igmp tcn query interval 10
ip ospf network broadcast
ip ospf resync-timeout 40
ip ospf dead-interval 40
ip ospf hello-interval 10
ip ospf priority 1
ip ospf retransmit-interval 5
ip ospf transmit-delay 1
no ip ospf flood-reduction
no ip ospf demand-circuit
no ip ospf mtu-ignore
no ip ospf database-filter all out
no ip ospf adjacency stagger
ip ospf 100 area 100
ip ospf cost 1
load-interval 300
carrier-delay 2
no shutdown
no medium p2p
no macsec replay-protection
no macsec
ipv6 nd reachable-time 0
ipv6 nd ns-interval 0
ipv6 nd dad attempts 1
ipv6 nd dad loopback detect
ipv6 nd prefix framed-ipv6-prefix
ipv6 nd nud igp
no ipv6 nd ra solicited unicast
ipv6 nd ra lifetime 1800
ipv6 nd ra interval 200
ipv6 mfib forwarding input
ipv6 mfib forwarding output
ipv6 mfib cef input
ipv6 mfib cef output
ipv6 redirects
ipv6 unreachables
snmp trap link-status
no mka pre-shared-key
mka default-policy
autonomic
vrrp 21 address-family ipv4
no shutdown
description DEFAULT GATEWAY FOR VLAN 21

timers advertise 1000
priority 254
preempt delay minimum 30
match-address
no vrrpv2
address 10.8.16.1 primary
exit-vrrp
arp arpa
arp timeout 14400
spanning-tree port-priority 128
spanning-tree cost 0
ethernet oam max-rate 10
ethernet oam min-rate 1
ethernet oam remote-loopback timeout 2
ethernet oam timeout 5
hold-queue 375 in
hold-queue 40 out
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map
!

...

CORE1#sh run | in http
no http secure server-identity-check
destination transport-method http
no ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Loopback0

Cisco IOS XE Software, Version 16.09.05
Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.9.5, RELEASE SOFTWARE (fc1)

I am connecting from the 10.55.144.0 IP range to https://10.8.16.0 and to https://10.8.16.255, and logging in with a local user.

I am really surprised. My PC's netstat at the moment looks like:

TCP 10.55.144.19:56885 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56887 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56935 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56936 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56937 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56938 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56939 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56940 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56941 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56942 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56943 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56944 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56945 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56946 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56947 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56948 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56949 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56951 10.8.16.0:443 TIME_WAIT
TCP 10.55.144.19:56952 10.8.16.0:443 TIME_WAIT

and the 9500 reports:


TCB Local Address Foreign Address (state)
7F2135A70440 192.168.1.6.443 192.168.1.5.44794 TIMEWAIT
7F2135A516A0 10.8.1.2.11351 ISE1 TIMEWAIT
7F2135FFE6F8 192.168.1.6.443 192.168.1.5.44790 TIMEWAIT
7F2135B4E448 10.8.1.2.28965 ISE1 TIMEWAIT
7F2135AFDF70 192.168.1.6.443 192.168.1.5.44800 TIMEWAIT
7F21359D4410 10.8.1.2.39919 ISE1 CLOSED
7F2135A4D8A8 10.8.1.2.51422 ISE1 ESTAB
7F2132A982F8 192.168.1.6.443 192.168.1.5.44792 TIMEWAIT
7F212CBE8000 10.8.1.2.22 DESKTOP-4B954FI.corp ESTAB
7F212A490C10 192.168.1.6.443 192.168.1.5.44802 TIMEWAIT
7F2134F96ED8 192.168.1.6.443 192.168.1.5.44798 TIMEWAIT
7F212A480238 10.8.1.2.49704 ISE1 TIMEWAIT
7F2135A62A48 192.168.1.6.443 192.168.1.5.44796 TIMEWAIT
7F2132A982F8 192.168.1.6.443 192.168.1.5.44812 TIMEWAIT
7F2135D88CF8 192.168.1.6.443 192.168.1.5.44810 TIMEWAIT
7F2135DC1D78 10.8.1.2.25366 ISE1 LASTACK
7F2135A62A48 192.168.1.6.443 192.168.1.5.44814 TIMEWAIT
7F212A480238 192.168.1.6.443 192.168.1.5.44808 TIMEWAIT
7F21359D0C20 192.168.1.6.443 192.168.1.5.44806 TIMEWAIT
7F2135FADFD0 192.168.1.6.443 192.168.1.5.44804 TIMEWAIT
7F212CBE8000 10.8.1.2.22 my-PC ESTAB
7F2135826BB0 10.8.1.2.51278 ISE1 ESTAB

There are TACACS sessions to ISE1, my PC's SSH session and a number of 443 sessions between 192.168.1.6 and 192.168.1.5.

I don't have any 192.168.1.0/24 addresses in the network, and I assume they are from internal switch communications.

Having an http access-class ACL also does not stop the 9500 from responding to the 10.8.16.0 address with an HTTP 403 error, but I would like the switch to not communicate at all except on its real IP address.

Could anyone help to achieve that?
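A small audit script, added here as an example (it is not from the thread or from Cisco), that takes every `ip address A M` line in a running-config excerpt, computes the subnet's network and broadcast addresses, and reports which of them complete a TCP handshake on 443. The config text is constructed from the post, and `probe` is injectable so the logic can be exercised without a live switch.

```python
"""Audit: does a switch's HTTPS server answer on the network and broadcast
addresses of its configured subnets?  Added example for this thread, not
Cisco code.  SAMPLE_CONFIG is constructed from the 'sh run' excerpts above."""
import ipaddress
import re
import socket

SAMPLE_CONFIG = """\
interface Vlan21
 ip address 10.8.16.2 255.255.255.0
 ip proxy-arp
interface Loopback0
 ip address 10.8.1.2 255.255.255.255
"""

# Matches primary 'ip address A M' lines only (not 'no ip address', not secondaries).
_ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.M)


def subnet_edges(config_text):
    """Return {interface_ip: (network, broadcast)} for each 'ip address A M'.
    /31 and /32 have no distinct network/broadcast addresses and are skipped."""
    edges = {}
    for addr, mask in _ADDR_RE.findall(config_text):
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        if net.prefixlen >= 31:
            continue
        edges[addr] = (str(net.network_address), str(net.broadcast_address))
    return edges


def tcp_open(host, port=443, timeout=2.0):
    """True if a TCP handshake to host:port completes (a real network probe)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(config_text, port=443, probe=tcp_open):
    """List (interface_ip, edge_address) pairs whose edge address accepts TCP
    connections on `port`; an empty list means nothing unexpected answered."""
    findings = []
    for ip, pair in subnet_edges(config_text).items():
        for edge in pair:
            if probe(edge, port):
                findings.append((ip, edge))
    return findings
```

Run `audit(open("running-config.txt").read())` against a saved config to use the live `tcp_open` probe; anything returned is an address the switch should not be answering on.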

4 Replies

marce1000
VIP

- Have a look at this thread for hints: https://community.cisco.com/t5/switching/http-gui-access-through-broadcast-ips/td-p/4611942

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hello!

The problem there looks the same, but there has been no solution for two years.

What is the subnet 192.168.1.0/24 on your network? I'm not sure if I understand you correctly. Have you tried creating an ACL on VLAN 21 that would block all traffic to this IP?

****Kindly rate all useful posts*****

I don't have any 192.168.0.0/16 in my network. It looks to be some part of internal switch communication.